Blocking EXE files but allowing file names

Hi Raido,

Hmm, thanks for your response but this didn't work.

I have created the custom category and set it to Alert for the policy that applies to me but when I tri the download again this is still being blocked. It doesn’t seem to override the file block policy. Is there a different way of doing this?

Cheers

Jack

You have to have 2 seperate security policies and 2 seperate File Blocking profiles.

Top sec policy will allow download of executables and you have URL category attached to it.

Hi,

I can go to the website and download the launcher fine, it’s other websites that I can’t access anymore (because I set all other categories to Block). In my mind I’m expecting to hit the top policy for downloads only (hence blocking everything else) then hit the regular policy below for all other traffic.

Palo is a "top down ACL" so if you're using all the same parameters except just chaning a profile the rules below the one above should be shadowed and not hit.

When you committed did you get a "shadowed rule" warning message?

Yeah so essentially, the match conditions are the same, so the traffic will hit the first rule that it applies to regardless of what file blocking profile you have. 

Is there any workaround for this at all? Would it be possible to setup an Untrust to Trust policy from the web server of where you're downloading from, which then has an alternate file blocking profile to allow this specific traffic I'm trying to download an EXE of?

The work around is a roll-up or integration of all match conditions and desired accesses/restirctions for the desired user security group.

Could you decipher that please..

For the sake of arguement:

Rule 1

Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> Any URL Category  --> Allow  --> URL Profile A  (Block Everything) / File Blocking Profile (Can transfer .pdfs only)

Rule 2

Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> Any URL Category  --> Allow  --> URL Profile A  (Allow Everything) / File Blocking Profile (Can transfer .pdfs only)

Rule 1 will shadow rule 2 because it's the same base session match criteria.  The application web-browsing will be allowed but the palo doesn't know which rule should "hit" WRT your URL match criteria.

Really the easiest way to do what you want is to do as Raido said.

1.  Create a Custom URL category (Call it whatever "Meeting") --> Add the URL download.citrixonline.com

2.  Create a File Blocking Profile ("EXE Allow") --> Allow exe files to download

3.  Create Rule

Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> "Meeting"  --> Allow  --> NO URL PROFILE / File Blocking Profile "EXE Allow"

have this rule be above your "Security Group A" "Web-Browsing" rule.  This above rule will only allow users access to the URL "download.citrixonline.com" and will allow them to download .exe files.

Hi Brandon,

Thanks for your reply.

Adding the download.citrix URL to the category alone didn't resolve the issue, however I believe I have fixed it. In the traffic logs, when accessing the GoToMeeting link I saw an IP address which then after an nslookup resolved to apiglobal.gotomeeting.com. I added this as well to the custom URL category which allowed me to use GoToMeeting and still block EXE files.

Thanks for your help

Jack